Iptables trouble

Support for security such as Firewalls and securing linux
supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Iptables trouble

Postby supertight » 2017/06/02 22:15:55

I need some clarification.

I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because It keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that mac/ip combo?

I'm confused. But, hey. What's new. lol

Thanks for reading.

Whoever
Posts: 949
Joined: 2013/09/06 03:12:10

Re: Iptables trouble

Postby Whoever » 2017/06/03 01:59:30

Is the system from which you are trying to connect via SSH in the same LAN?

If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 02:31:16

supertight wrote:I need some clarification.

I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because It keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that mac/ip combo?

I'm confused. But, hey. What's new. lol

Thanks for reading.


My Iptable be lookin like

Code: Select all

# Flush all current rules from iptables
  iptables -F

# Set access for localhost
 iptables -A INPUT -i lo -j ACCEPT

# Http/ Https/ ssh/ svr5/
iptables -A INPUT -s 192.168.1.0/24 -m mac --mac-source 70:88:6b:81:63:2d -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT


# Accept packets belonging to established and related connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP ECHO (ping) =
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

# Save settings
  /sbin/service iptables save

# List rules
  iptables -L -v

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 02:47:57

Whoever wrote:Is the system from which you are trying to connect via SSH in the same LAN?

If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.


I have the key pairs setup. As soon as I get this firewall thing figured out, I can put those into play.
I'm hosting a few different domains. I have a server setup as a reverse proxy running NGINX.
I want the hosting servers to accept requests from my proxy server only.

Edit: Yes, they are on the same LAN.

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 03:50:46

I just don't get it.

Code: Select all

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Works. Works fiiiiine.

Trying to tighten the rule? NO LUCK!! lol

Add the IP:

Code: Select all

iptables -A INPUT -p tcp -s ###.###.###.15 --dport 22 -j ACCEPT


Add the IP and MAC:

Code: Select all

iptables -A INPUT -p tcp -s ###.###.###.15 -m --mac-address ##:##:##:##:##:## --dport 22 -j ACCEPT


S'not working.

User avatar
TrevorH
Forum Moderator
Posts: 20958
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables trouble

Postby TrevorH » 2017/06/03 12:20:28

Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 15:35:19

TrevorH wrote:Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.


Oi, Mate.

Code: Select all

cd iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere   
    0     0 ACCEPT     tcp  --  any    any     192.168.1.15         anywhere            tcp dpt:ssh
    2   104 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
 pkts bytes target     prot opt in     out     source               destination



The server is 192.168.1.12
The client is 192.168.1.15

Cheers -

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 16:19:43

supertight wrote:
TrevorH wrote:Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.


Oi, Mate.

Code: Select all

cd iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere   
    0     0 ACCEPT     tcp  --  any    any     192.168.1.15         anywhere            tcp dpt:ssh
    2   104 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
 pkts bytes target     prot opt in     out     source               destination



The server is 192.168.1.12
The client is 192.168.1.15

Cheers -


- Turned the tables off from the console.
- SSH into the system from .15
- Ran firewall script, with rule:

Code: Select all

iptables -A INPUT -p tcp -s 192.168.1.15 --dport 22 -j ACCEPT
- Existing SSH connection remains stable.

I'm going to try and add

Code: Select all

-m state --state NEW

User avatar
TrevorH
Forum Moderator
Posts: 20958
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables trouble

Postby TrevorH » 2017/06/03 16:35:06

That's not what I asked for. Run iptables-save and post the output.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

supertight
Posts: 98
Joined: 2017/02/07 21:47:51

Re: Iptables trouble

Postby supertight » 2017/06/03 19:17:22

I figured out what was going on....

- The server was 192.168.10.5(the earlier number was false)
- The client has two(2) interfaces, that's was the beginning of my headache. (eth0=192.168.1.15 & eth1=192.168.10.3)
- I can write the rule for 192.168.10.3 and I get access.

If I try to set to rule to 192.168.1.15 and -b to eth1, the rule doesn't work.
- Then it dawned on me. The router between the subnet's changes the ip on the packet.
- eth1 comes into the router @ "192.168.1.15" But leaves the router "192.168.10.2"

Thanks for helping work it out guys. I can carry on with my configurations now.